Documentation ¶
Index ¶
- Constants
- func EscapeJSONPointer(s string) string
- func Init(pod *corev1.Pod, cfg AgentConfig) error
- func ShouldInject(pod *corev1.Pod) (bool, error)
- type Agent
- func (a *Agent) ContainerConfigMapVolume() corev1.Volume
- func (a *Agent) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
- func (a *Agent) ContainerExtraSecretVolume() corev1.Volume
- func (a *Agent) ContainerInitSidecar() (corev1.Container, error)
- func (a *Agent) ContainerSidecar() (corev1.Container, error)
- func (a *Agent) ContainerTLSSecretVolume() corev1.Volume
- func (a *Agent) ContainerTokenVolume() []corev1.Volume
- func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
- func (a *Agent) ContainerVolumes() []corev1.Volume
- func (a *Agent) Patch() ([]byte, error)
- func (a *Agent) Validate() error
- type AgentConfig
- type AutoAuth
- type Cache
- type CachePersist
- type Config
- type Listener
- type Method
- type Secret
- type Sink
- type Template
- type Vault
- type VaultAgentCache
- type VaultConfig
Constants ¶
const ( DefaultVaultImage = "vault:1.7.0" DefaultVaultAuthType = "kubernetes" DefaultVaultAuthPath = "auth/kubernetes" DefaultAgentRunAsUser = 100 DefaultAgentRunAsGroup = 1000 DefaultAgentRunAsSameUser = false DefaultAgentAllowPrivilegeEscalation = false DefaultAgentDropCapabilities = "ALL" DefaultAgentSetSecurityContext = true DefaultAgentReadOnlyRoot = true DefaultAgentCacheEnable = "false" DefaultAgentCacheUseAutoAuthToken = "true" DefaultAgentCacheListenerPort = "8200" DefaultAgentCacheExitOnErr = false DefaultAgentUseLeaderElector = false DefaultAgentInjectToken = false )
const ( // AnnotationAgentStatus is the key of the annotation that is added to // a pod after an injection is done. // There's only one valid status we care about: "injected". AnnotationAgentStatus = "vault.hashicorp.com/agent-inject-status" // AnnotationAgentInject is the key of the annotation that controls whether // injection is explicitly enabled or disabled for a pod. This should // be set to a true or false value, as parseable by strconv.ParseBool AnnotationAgentInject = "vault.hashicorp.com/agent-inject" // AnnotationAgentInjectSecret is the key annotation that configures Vault // Agent to retrieve the secrets from Vault required by the app. The name // of the secret is any unique string after "vault.hashicorp.com/agent-inject-secret-", // such as "vault.hashicorp.com/agent-inject-secret-foobar". The value is the // path in Vault where the secret is located. AnnotationAgentInjectSecret = "vault.hashicorp.com/agent-inject-secret" // AnnotationAgentInjectFile is the key of the annotation that contains the // name (and optional path) of the file to create on disk. The name of the // secret is the string after "vault.hashicorp.com/agent-inject-file-", and // should map to the same unique value provided in // "vault.hashicorp.com/agent-inject-secret-". The value is the filename and // path in the secrets volume where the vault secret will be written. The // container mount path of the secrets volume may be modified with the // secret-volume-path annotation. AnnotationAgentInjectFile = "vault.hashicorp.com/agent-inject-file" // AnnotationAgentInjectTemplate is the key annotation that configures Vault // Agent what template to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-", // such as "vault.hashicorp.com/agent-inject-template-foobar". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // If not provided, a default generic template is used. AnnotationAgentInjectTemplate = "vault.hashicorp.com/agent-inject-template" // AnnotationAgentInjectDefaultTemplate sets the default template type. Possible values // are "json" and "map". AnnotationAgentInjectDefaultTemplate = "vault.hashicorp.com/agent-inject-default-template" // AnnotationAgentInjectTemplateFile is the optional key annotation that configures Vault // Agent what template on disk to use for rendering the secrets. The name // of the template is any unique string after "vault.hashicorp.com/agent-inject-template-file-", // such as "vault.hashicorp.com/agent-inject-template-file-foobar". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // The value is the filename and path of the template used by the agent to render the secrets. // If not provided, the template content key annotation is used. AnnotationAgentInjectTemplateFile = "vault.hashicorp.com/agent-inject-template-file" // AnnotationAgentInjectToken is the annotation key for injecting the // auto-auth token into the secrets volume (e.g. /vault/secrets/token) AnnotationAgentInjectToken = "vault.hashicorp.com/agent-inject-token" // AnnotationAgentInjectCommand is the key annotation that configures Vault Agent // to run a command after the secret is rendered. The name of the template is any // unique string after "vault.hashicorp.com/agent-inject-command-". This should map // to the same unique value provided in "vault.hashicorp.com/agent-inject-secret-". // If not provided (the default), no command is executed. AnnotationAgentInjectCommand = "vault.hashicorp.com/agent-inject-command" // AnnotationAgentImage is the name of the Vault docker image to use. AnnotationAgentImage = "vault.hashicorp.com/agent-image" // AnnotationAgentRequestNamespace is the Kubernetes namespace where the request // originated from. AnnotationAgentRequestNamespace = "vault.hashicorp.com/agent-request-namespace" // AnnotationAgentInitFirst makes the initialization container the first container // to run when a pod starts. Default is last. AnnotationAgentInitFirst = "vault.hashicorp.com/agent-init-first" // AnnotationAgentPrePopulate controls whether an init container is included // to pre-populate the shared memory volume with secrets prior to the application // starting. AnnotationAgentPrePopulate = "vault.hashicorp.com/agent-pre-populate" // AnnotationAgentPrePopulateOnly controls whether an init container is the only // injected container. If true, no sidecar container will be injected at runtime // of the application. AnnotationAgentPrePopulateOnly = "vault.hashicorp.com/agent-pre-populate-only" // AnnotationAgentConfigMap is the name of the configuration map where Vault Agent // configuration file and templates can be found. AnnotationAgentConfigMap = "vault.hashicorp.com/agent-configmap" // AnnotationAgentExtraSecret is the name of a Kubernetes secret that will be mounted // into the Vault agent container so that the agent config can reference secrets. AnnotationAgentExtraSecret = "vault.hashicorp.com/agent-extra-secret" // AnnotationAgentLimitsCPU sets the CPU limit on the Vault Agent containers. AnnotationAgentLimitsCPU = "vault.hashicorp.com/agent-limits-cpu" // AnnotationAgentLimitsMem sets the memory limit on the Vault Agent containers. AnnotationAgentLimitsMem = "vault.hashicorp.com/agent-limits-mem" // AnnotationAgentRequestsCPU sets the requested CPU amount on the Vault Agent containers. AnnotationAgentRequestsCPU = "vault.hashicorp.com/agent-requests-cpu" // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers. AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem" // AnnotationAgentRevokeOnShutdown controls whether a sidecar container will revoke its // own Vault token before shutting down. If you are using a custom agent template, you must // make sure it's written to `/home/vault/.vault-token`. Only supported for sidecar containers. AnnotationAgentRevokeOnShutdown = "vault.hashicorp.com/agent-revoke-on-shutdown" // AnnotationAgentRevokeGrace sets the number of seconds after receiving the signal for pod // termination that the container will attempt to revoke its own Vault token. Defaults to 5s. AnnotationAgentRevokeGrace = "vault.hashicorp.com/agent-revoke-grace" // AnnotationVaultNamespace is the Vault namespace where secrets can be found. AnnotationVaultNamespace = "vault.hashicorp.com/namespace" // AnnotationAgentRunAsUser sets the User ID to run the Vault Agent containers as. AnnotationAgentRunAsUser = "vault.hashicorp.com/agent-run-as-user" // AnnotationAgentRunAsGroup sets the Group ID to run the Vault Agent containers as. AnnotationAgentRunAsGroup = "vault.hashicorp.com/agent-run-as-group" // AnnotationAgentRunAsSameUser sets the User ID of the injected Vault Agent // containers to the User ID of the first application container in the Pod. // Requires Spec.Containers[0].SecurityContext.RunAsUser to be set in the // Pod Spec. AnnotationAgentRunAsSameUser = "vault.hashicorp.com/agent-run-as-same-user" // AnnotationAgentSetSecurityContext controls whether a SecurityContext (uid // and gid) is set on the injected Vault Agent containers AnnotationAgentSetSecurityContext = "vault.hashicorp.com/agent-set-security-context" // AnnotationVaultService is the name of the Vault server. This can be overridden by the // user but will be set by a flag on the deployment. AnnotationVaultService = "vault.hashicorp.com/service" // AnnotationProxyAddress is the HTTP proxy to use when talking to the Vault server. AnnotationProxyAddress = "vault.hashicorp.com/proxy-address" // AnnotationVaultTLSSkipVerify allows users to configure verifying TLS // when communicating with Vault. AnnotationVaultTLSSkipVerify = "vault.hashicorp.com/tls-skip-verify" // AnnotationVaultTLSSecret is the name of the Kubernetes secret containing // client TLS certificates and keys. AnnotationVaultTLSSecret = "vault.hashicorp.com/tls-secret" // AnnotationVaultTLSServerName is the name of the Vault server to verify the // authenticity of the server when communicating with Vault over TLS. AnnotationVaultTLSServerName = "vault.hashicorp.com/tls-server-name" // AnnotationVaultCACert is the path of the CA certificate used to verify Vault's // CA certificate. AnnotationVaultCACert = "vault.hashicorp.com/ca-cert" // AnnotationVaultCAKey is the path of the CA key used to verify Vault's CA. AnnotationVaultCAKey = "vault.hashicorp.com/ca-key" // AnnotationVaultClientCert is the path of the client certificate used to communicate // with Vault over TLS. AnnotationVaultClientCert = "vault.hashicorp.com/client-cert" // AnnotationVaultClientKey is the path of the client key used to communicate // with Vault over TLS. AnnotationVaultClientKey = "vault.hashicorp.com/client-key" // AnnotationVaultClientMaxRetries is the number of retry attempts when 5xx errors are encountered. AnnotationVaultClientMaxRetries = "vault.hashicorp.com/client-max-retries" // AnnotationVaultClientTimeout sets the request timeout when communicating with Vault. AnnotationVaultClientTimeout = "vault.hashicorp.com/client-timeout" // AnnotationVaultLogLevel sets the Vault Agent log level. AnnotationVaultLogLevel = "vault.hashicorp.com/log-level" // AnnotationVaultLogFormat sets the Vault Agent log format. AnnotationVaultLogFormat = "vault.hashicorp.com/log-format" // AnnotationVaultRole specifies the role to be used for the Kubernetes auto-auth // method. AnnotationVaultRole = "vault.hashicorp.com/role" // AnnotationVaultAuthType specifies the auto-auth method type to be used. AnnotationVaultAuthType = "vault.hashicorp.com/auth-type" // AnnotationVaultAuthPath specifies the mount path to be used for the auto-auth method. AnnotationVaultAuthPath = "vault.hashicorp.com/auth-path" // AnnotationVaultAuthConfig specifies the Auto Auth Method configuration parameters. // The name of the parameter is any unique string after "vault.hashicorp.com/auth-config-", // such as "vault.hashicorp.com/auth-config-foobar". AnnotationVaultAuthConfig = "vault.hashicorp.com/auth-config" // AnnotationVaultSecretVolumePath specifies where the secrets are to be // Mounted after fetching. AnnotationVaultSecretVolumePath = "vault.hashicorp.com/secret-volume-path" // AnnotationPreserveSecretCase if enabled will preserve the case of secret name // by default the name is converted to lower case. AnnotationPreserveSecretCase = "vault.hashicorp.com/preserve-secret-case" // AnnotationAgentCacheEnable if enabled will configure the sidecar container // to enable agent caching AnnotationAgentCacheEnable = "vault.hashicorp.com/agent-cache-enable" // AnnotationAgentCacheUseAutoAuthToken configures the agent cache to use the // auto auth token or not. Can be set to "force" to force usage of the auto-auth token AnnotationAgentCacheUseAutoAuthToken = "vault.hashicorp.com/agent-cache-use-auto-auth-token" // AnnotationAgentCacheListenerPort configures the port the agent cache should listen on AnnotationAgentCacheListenerPort = "vault.hashicorp.com/agent-cache-listener-port" // AnnotationAgentCacheExitOnErr configures whether the agent will exit on an // error while restoring the persistent cache AnnotationAgentCacheExitOnErr = "vault.hashicorp.com/agent-cache-exit-on-err" // AnnotationAgentCopyVolumeMounts is the name of the container or init container // in the Pod whose volume mounts should be copied onto the Vault Agent init and // sidecar containers. Ignores any Kubernetes service account token mounts. AnnotationAgentCopyVolumeMounts = "vault.hashicorp.com/agent-copy-volume-mounts" )
const ( DefaultMapTemplate = "{{ with secret \"%s\" }}{{ range $k, $v := .Data }}{{ $k }}: {{ $v }}\n{{ end }}{{ end }}" DefaultJSONTemplate = "{{ with secret \"%s\" }}{{ .Data | toJSON }}\n{{ end }}" DefaultTemplateType = "map" PidFile = "/home/vault/.pid" TokenFile = "/home/vault/.vault-token" )
const ( // https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu DefaultResourceLimitCPU = "500m" DefaultResourceLimitMem = "128Mi" DefaultResourceRequestCPU = "250m" DefaultResourceRequestMem = "64Mi" DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json" DefaultRevokeGrace = 5 DefaultAgentLogLevel = "info" DefaultAgentLogFormat = "standard" )
Variables ¶
This section is empty.
Functions ¶
func EscapeJSONPointer ¶
EscapeJSONPointer escapes a JSON string to be compliant with the JavaScript Object Notation (JSON) Pointer syntax RFC: https://tools.ietf.org/html/rfc6901.
Types ¶
type Agent ¶
type Agent struct { // Annotations are the current pod annotations used to // configure the Vault Agent container. Annotations map[string]string // DefaultTemplate is the default template to be used when // no custom template is specified via annotations. DefaultTemplate string // ImageName is the name of the Vault image to use for the // sidecar container. ImageName string // Inject is the flag used to determine if a container should be requested // in a pod request. Inject bool // InitFirst controls whether an init container is first to run. InitFirst bool // LimitsCPU is the upper CPU limit the sidecar container is allowed to consume. LimitsCPU string // LimitsMem is the upper memory limit the sidecar container is allowed to consume. LimitsMem string // Namespace is the Kubernetes namespace the request originated from. Namespace string // Patches are all the mutations we will make to the pod request. Patches []*jsonpatch.JsonPatchOperation // Pod is the original Kubernetes pod spec. Pod *corev1.Pod // PrePopulate controls whether an init container is added to the request. PrePopulate bool // PrePopulateOnly controls whether an init container is the _only_ container // added to the request. PrePopulateOnly bool // RevokeOnShutdown controls whether a sidecar container will attempt to revoke its Vault // token on shutting down. RevokeOnShutdown bool // RevokeGrace controls after receiving the signal for pod // termination that the container will attempt to revoke its own Vault token. RevokeGrace uint64 // RequestsCPU is the requested minimum CPU amount required when being scheduled to deploy. RequestsCPU string // RequestsMem is the requested minimum memory amount required when being scheduled to deploy. RequestsMem string // Secrets are all the templates, the path in Vault where the secret can be //found, and the unique name of the secret which will be used for the filename. Secrets []*Secret // ServiceAccountName is the Kubernetes service account name for the pod. // This is used when we mount the service account to the Vault Agent container(s). ServiceAccountName string // ServiceAccountPath is the path on disk where the service account JWT // can be located. This is used when we mount the service account to the // Vault Agent container(s). ServiceAccountPath string // Status is the current injection status. The only status considered is "injected", // which prevents further mutations. A user can patch this annotation to force a new // mutation. Status string // ConfigMapName is the name of the configmap a user wants to mount to Vault Agent // container(s). ConfigMapName string // Vault is the structure holding all the Vault specific configurations. Vault Vault // VaultAgentCache is the structure holding the Vault agent cache specific configurations VaultAgentCache VaultAgentCache // RunAsUser is the user ID to run the Vault agent container(s) as. RunAsUser int64 // RunAsGroup is the group ID to run the Vault agent container(s) as. RunAsGroup int64 // RunAsSameID sets the user ID of the Vault agent container(s) to be the // same as the first application container RunAsSameID bool // SetSecurityContext controls whether the injected containers have a // SecurityContext set. SetSecurityContext bool // ExtraSecret is the Kubernetes secret to mount as a volume in the Vault agent container // which can be referenced by the Agent config for secrets. Mounted at /vault/custom/ ExtraSecret string // AwsIamTokenAccountName is the aws iam volume mount name for the pod. // Need this for IRSA aka pod identity AwsIamTokenAccountName string // AwsIamTokenAccountPath is the aws iam volume mount path for the pod // where the JWT would be present // Need this for IRSA aka pod identity AwsIamTokenAccountPath string // CopyVolumeMounts is the name of the container in the Pod whose volume mounts // should be copied into the Vault Agent init and/or sidecar containers. CopyVolumeMounts string // InjectToken controls whether the auto-auth token is injected into the // secrets volume (e.g. /vault/secrets/token) InjectToken bool }
Agent is the top level structure holding all the configurations for the Vault Agent container.
func (*Agent) ContainerConfigMapVolume ¶
ContainerConfigMapVolume returns a volume to mount a config map if the user supplied any.
func (*Agent) ContainerEnvVars ¶
ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.
func (*Agent) ContainerExtraSecretVolume ¶
ContainerExtraSecretVolume returns a volume to mount a Kube secret if the user supplied one.
func (*Agent) ContainerInitSidecar ¶
ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.
func (*Agent) ContainerSidecar ¶
ContainerSidecar creates a new container to be added to the pod being mutated.
func (*Agent) ContainerTLSSecretVolume ¶
ContainerTLSSecretVolume returns a volume to mount TLS secrets if the user supplied any.
func (*Agent) ContainerTokenVolume ¶
ContainerTokenVolume returns a volume to mount the home directory where the token sink will write to.
func (*Agent) ContainerVolumeMounts ¶
func (a *Agent) ContainerVolumeMounts() []corev1.VolumeMount
ContainerVolumeMounts mounts the shared memory volume where secrets will be rendered.
func (*Agent) ContainerVolumes ¶
ContainerVolume returns the volume data to add to the pod. This volumes are used for shared data between containers.
type AgentConfig ¶
type AgentConfig struct { Image string Address string AuthType string AuthPath string Namespace string RevokeOnShutdown bool UserID string GroupID string SameID bool SetSecurityContext bool ProxyAddress string DefaultTemplate string ResourceRequestCPU string ResourceRequestMem string ResourceLimitCPU string ResourceLimitMem string }
type AutoAuth ¶
type AutoAuth struct { Method *Method `json:"method,omitempty"` Sinks []*Sink `json:"sink,omitempty"` }
AutoAuth is the configured authentication method and sinks
type Cache ¶
type Cache struct { UseAutoAuthToken string `json:"use_auto_auth_token"` Persist *CachePersist `json:"persist,omitempty"` }
Cache defines the configuration for the Vault Agent Cache
type CachePersist ¶
type CachePersist struct { Type string `json:"type"` Path string `json:"path"` KeepAfterImport bool `json:"keep_after_import,omitempty"` ExitOnErr bool `json:"exit_on_err,omitempty"` ServiceAccountTokenFile string `json:"service_account_token_file,omitempty"` }
CachePersist defines the configuration for persistent caching in Vault Agent
type Config ¶
type Config struct { AutoAuth *AutoAuth `json:"auto_auth"` ExitAfterAuth bool `json:"exit_after_auth"` PidFile string `json:"pid_file"` Vault *VaultConfig `json:"vault"` Templates []*Template `json:"template,omitempty"` Listener []*Listener `json:"listener,omitempty"` Cache *Cache `json:"cache,omitempty"` }
Config is the top level struct that composes a Vault Agent configuration file.
type Listener ¶
type Listener struct { Type string `json:"type"` Address string `json:"address"` TLSDisable bool `json:"tls_disable"` }
Listener defines the configuration for Vault Agent Cache Listener
type Method ¶
type Method struct { Type string `json:"type"` MountPath string `json:"mount_path,omitempty"` WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"` WrapTTL time.Duration `json:"-"` Namespace string `json:"namespace,omitempty"` Config map[string]interface{} `json:"config,omitempty"` }
Method represents the configuration for the authentication backend
type Secret ¶
type Secret struct { // Name of the secret used to identify other annotation directives, and used // as the filename for the rendered secret file (unless FilePathAndName is // specified). Name string // Path in Vault where the secret desired can be found. Path string // Template is the optional custom template to use when rendering the secret. Template string // Template file is the optional path on disk to the custom template to use when rendering the secret. TemplateFile string // Mount Path for the volume holding the rendered secret file MountPath string // Command is the optional command to run after rendering the secret. Command string // FilePathAndName is the optional file path and name for the rendered secret file. FilePathAndName string }
type Sink ¶
type Sink struct { Type string `json:"type"` WrapTTLRaw interface{} `json:"wrap_ttl,omitempty"` WrapTTL time.Duration `json:"-"` DHType string `json:"dh_type,omitempty"` DHPath string `json:"dh_path,omitempty"` AAD string `json:"aad,omitempty"` AADEnvVar string `json:"aad_env_var,omitempty"` Config map[string]interface{} `json:"config,omitempty"` }
Sink defines a location to write the authenticated token
type Template ¶
type Template struct { CreateDestDirs bool `json:"create_dest_dirs,omitempty"` Destination string `json:"destination"` Contents string `json:"contents,omitempty"` LeftDelim string `json:"left_delimiter,omitempty"` RightDelim string `json:"right_delimiter,omitempty"` Command string `json:"command,omitempty"` Source string `json:"source,omitempty"` }
Template defines the Consul Template parameters
type Vault ¶
type Vault struct { // Address is the Vault service address. Address string // ProxyAddress is the proxy service address to use when talking to the Vault service. ProxyAddress string // AuthType is type of Vault Auth Method to use. AuthType string // AuthPath is the Mount Path of Vault Auth Method. AuthPath string // AuthConfig is the Auto Auth Method configuration. AuthConfig map[string]interface{} // CACert is the name of the Certificate Authority certificate // to use when validating Vault's server certificates. CACert string // CAKey is the name of the Certificate Authority key // to use when validating Vault's server certificates. CAKey string // ClientCert is the name of the client certificate to use when communicating // with Vault over TLS. ClientCert string // ClientKey is the name of the client key to use when communicating // with Vault over TLS. ClientKey string // ClientMaxRetries configures the number of retries the client should make // when 5-- errors are received from the Vault server. Default is 2. ClientMaxRetries string // ClientTimeout is the max number in seconds the client should attempt to // make a request to the Vault server. ClientTimeout string // LogLevel sets the Vault Agent log level. Defaults to info. LogLevel string // LogFormat sets the Vault Agent log format. Defaults to standard. LogFormat string // Namespace is the Vault namespace to prepend to secret paths. Namespace string // Role is the name of the Vault role to use for authentication. Role string // TLSSecret is the name of the secret to be mounted to the Vault Agent container // containing the TLS certificates required to communicate with Vault. TLSSecret string // TLSSkipVerify toggles verification of Vault's certificates. TLSSkipVerify bool // TLSServerName is the name of the Vault server to use when validating Vault's // TLS certificates. TLSServerName string }
type VaultAgentCache ¶
type VaultAgentCache struct { // Enable configures whether the cache is enabled or not Enable bool // ListenerPort is the port the cache should listen to ListenerPort string // UseAutoAuthToken configures whether the auto auth token is used in cache requests UseAutoAuthToken string // Persist marks whether persistent caching is enabled or not Persist bool // ExitOnErr configures whether the agent will exit on an error while // restoring the persistent cache ExitOnErr bool }
type VaultConfig ¶
type VaultConfig struct { Address string `json:"address"` CACert string `json:"ca_cert,omitempty"` CAPath string `json:"ca_path,omitempty"` TLSSkipVerify bool `json:"tls_skip_verify,omitempty"` ClientCert string `json:"client_cert,omitempty"` ClientKey string `json:"client_key,omitempty"` TLSServerName string `json:"tls_server_name,omitempty"` }
Vault contains configuration for connecting to Vault servers